[CERT-daily] Tageszusammenfassung - 26.01.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 25-01-2023 18:00 − Donnerstag 26-01-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Exploit released for critical Windows CryptoAPI spoofing bug ∗∗∗
---------------------------------------------
Proof of concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and U.K.s NCSC allowing MD5-collision certificate spoofing. Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022 [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-windows-cryptoapi-spoofing-bug/


∗∗∗ PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022."This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report [..]
---------------------------------------------
https://thehackernews.com/2023/01/pyration-new-python-based-rat-utilizes.html


∗∗∗ Massive Supply-Chain-Attacke auf Router von Asus, D-Link & Co. beobachtet ∗∗∗
---------------------------------------------
Angreifer haben derzeit weltweit eine kritische Schwachstelle in Wireless-SoCs von Realtek im Visier. In Deutschland soll es Millionen Attacken gegeben haben. [...] Von der Lücke sind rund 190 IoT-Modelle von 66 Herstellern betroffen. Eine Auflistung von betroffenen Geräten findet man in der ursprünglichen Warnmeldung am Ende des Beitrags. Sicherheitspatches von Realtek sind schon seit Sommer 2021 verfügbar.
---------------------------------------------
https://heise.de/-7471324


∗∗∗ Cybercrime: Polizei zerschlägt Ransomware-Gruppe "Hive"​ ∗∗∗
---------------------------------------------
Deutsche Ermittler haben in Zusammenarbeit mit den Behörden in den Niederlanden und den USA die Kontrolle über das Ransomware-Netzwerk "Hive" übernommen.
---------------------------------------------
https://heise.de/-7472192


∗∗∗ Chinese PlugX Malware Hidden in Your USB Devices? ∗∗∗
---------------------------------------------
The PlugX malware stood out to us as this variant infects any attached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB is later plugged into.
This PlugX malware also hides actor files in a USB device using a novel technique that works even on the most recent Windows operating systems (OS) at the time of writing this post. 
---------------------------------------------
https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/


∗∗∗ AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa23-025a


∗∗∗ Achtung: Phishing zur Kontensperrung zielt auf Ing-Banking-Kunden (Jan. 2023) ∗∗∗
---------------------------------------------
us gegebenem Anlass greife ich die nächste Phishing-Kampagne hier im Blog auf, die sich an Kunden von Banken richtet. Kunden der Online-Bank Ing erhalten in einer Kampagne eine Phishing-Mail mit dem Hinweis, dass das Konto gesperrt worden sei, weil nicht auf eine Nachricht der Bank reagiert worden sei.
---------------------------------------------
https://www.borncity.com/blog/2023/01/26/achtung-phishing-zur-kontensperrung-zielt-auf-ing-banking-kunden-jan-2023/


∗∗∗ New Mimic Ransomware Abuses Everything APIs for its Encryption Process ∗∗∗
---------------------------------------------
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Sicherheitsupdate BIND: Angreifer könnten DNS-Server mit Anfragen überfluten ∗∗∗
---------------------------------------------
Die Entwickler haben in der DNS-Software auf Open-Source-Basis BIND drei DoS-Lücken geschlossen.
---------------------------------------------
https://heise.de/-7471773


∗∗∗ Wordpress-Plug-in: Kritische Lücke in Learnpress auf 75.000 Webseiten ∗∗∗
---------------------------------------------
Das Wordpress-Plug-in Learnpress kommt auf über 100.000 Webseiten zum Einsatz. Mangels installierter Updates sind 75.000 davon für Kompromittierung anfällig.
---------------------------------------------
https://heise.de/-7471283


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy).
---------------------------------------------
https://lwn.net/Articles/921345/


∗∗∗ libcurl as used by IBM QRadar Wincollect agent is vulnerable to denial of service (CVE-2022-43552, CVE-2022-43551) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857685


∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to query parameter smuggling due to [CVE-2022-2880] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857849


∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-2879] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857851


∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-41715] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857853


∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to elevated privileges due to [CVE-2022-42919] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857847

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily